ScreenOS Firewalls (NOT SRX)
Reply
Visitor
SturmLS
Posts: 4
Registered: ‎11-04-2009
0
Accepted Solution

SSG5 VoIP

Hello all

 

I had a one public ip on eht0/0 x.y.187.33/26. On this interface i had a MIP to mail server and other services. Everything was fine, until we bought edgepoint tandberg 95MXP.

Our provider has allocated public ip's in different subnet for this endpoints  x.y.186.136/29. I configure route x.y.186.136 to eth0/2 and create policy (Untrust to Trust) to allow VoIP Services on x.y.186.138. Eth0/2 have ip x.y.186.137.

And now i have a problems:

1. When h323 alg is on, i can do outgoing call and a quality is perfect, but incoming call don't work. Then i receive incoming call on edgepoint , i can see ringing, but then press Answer the connection is closed.

2. When h323 alg is off, i can do outgoing and receive incoming calls, but the quality is poor. Too many dropped packets (30-40%), video freezes, had a lot artefacts, sound loses words.

 

How to set up SSG5 so that I could make a call with a good quality as well as receive?

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008
0

Re: SSG5 VoIP

Hi,

 

You can find detailed instructions in the C&E book, however for basic instructions you can do the following:

 

Create a VIP or MIP (It depends if you have extra real IPs)

Create policies allowing  H.323 traffic from and to the virtual ip your mapping to e.g. from your untrust zone or internet connection zone to the VOIP device


Regards

Visitor
SturmLS
Posts: 4
Registered: ‎11-04-2009
0

Re: SSG5 VoIP

Hi

I read this and try to do, but it does not work.

VIP cannot be creating, Message: The Virtual IP must be in same subnet as the interface IP



I configured SSG by http://kb.juniper.net/InfoCenter/index?page=content&id=KB12631

Section 'Server Public IP address is on different network than the Untrust interface IP address'



My final configuration is a combination of KB12631 and C & E book Volume 6 VoIP, but maybe i something doing wrong. Basic problem for me is different subnet for edgepoint. In examples what i find all doing on same ip or subnet.

Visitor
SturmLS
Posts: 4
Registered: ‎11-04-2009
0

Re: SSG5 VoIP

The problem is still actual. Any ideas how to solve it?

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008
0

Re: SSG5 VoIP

Hi,

 

I think you can only have one VIP instance bound to the untrust interface which you use to map different ports to different IP addresses.

 

So are you trying to add another VIP or just need to add another port to be VIP'ed?

 

You can allways configure "ignore subnetconflict" at the VR level but be sure you know what you are doing. You can then define as many overlapping subnets as you like.

 

Gavrilo

Visitor
SturmLS
Posts: 4
Registered: ‎11-04-2009
0

Re: SSG5 VoIP

I update the firmware to 6.3.0r9 and disable H323 ALG and everything works perfect.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.